"John Alex. via Kerberos" <kerberos@mit.edu> writes: > In this instance, user passwords are stored in our LDAP server > (OpenLDAP), hashed. All our services currently validate user credentials > by attempting an LDAP bind either directly or via another protocol > implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).
> So my question is, is there a way to implement kerberos without > knowledge of the plaintext passwords, or do we have to somehow capture > the credentials during users' login to other services and then sync them > to the kdc db? Unfortunately, although Kerberos also stores all of the passwords hashed, the hashing algorithm used by Kerberos is almost certainly different than the hashing algorithm used by LDAP. You therefore need the cleartext password in order to create the KDC entry, since the point of hashing is that it's not reversible. The only exception would be if somehow Kerberos could be convinced to use the same hashing algorithm as LDAP, but I don't think that's the case. (The client and the KDC have to agree on a hashing algorithm, so this isn't a simple thing to do.) -- Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos